-
So far good information. It looks like the best thing would be to get my mail server and web servers in a DMZ. My problem with the PIX 506 is that it only has 1 Ethernet port. I've checked with the documentation and a DMZ on this model is not possible. Am I missing something? Should I upgrade to a larger PIX or maybe put something like a SmoothWall in front to create the DMZ and have the PIX behind protecting my LAN?
-
The thing is, I'm not really trying to protect our assets against script kiddies or the odd worm. That's easy. All it takes is a bit of common sense and up2date and hardened systems to thwart them.
I'm trying to protect our assets against people that are determined to get in. Those are the ones that pose a real threat. Those are the ones that can really take you down. It may not be likely, but we fear the one that succeeds. We could end up with a couple of huge headlines in the papers. That's bad for the company I work for (market shares plummeting, customers leaving) and that in turn is bad for my job security ;)
-
The 506 is already marked end-of-sale/end-of-life, so you'll need to get a new one anyway if you want support from Cisco. If you like the PIX (it's a good firewall anyway!), buy a bigger one, but it doesn't hurt if you shop around a bit. There are lots of other good alternatives.
Think about what you want or what you need it for. If you're going to buy a new one, think about the future too. You don't want to be stuck next year with an expensive firewall that doesn't have the features you need.